e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4

General

Target

e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe
Size

78KB
MD5

44670034b7ac83d6a9ca82b2994df75b
SHA1

cf65e71b667435c8b4294c82db41c7244981a46b
SHA256

e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4
SHA512

f4373697dd2e133d08e8963138929d4b8496286d1d2b342eaba741614a6e146d5da4923d23787b0139387660d5848c70b6c5496a4d23d9302acd20700edaca8b
SSDEEP

1536:3PWV5jPLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti67M9/X1SK:3PWV5jTE2EwR4uY41HyvYDM9/X

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2260	tmpECEE.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2696	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe
2696	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpECEE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpECEE.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe
Token: SeDebugPrivilege	2260	tmpECEE.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2700	2696	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	30
PID 2696 wrote to memory of 2700	2696	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	30
PID 2696 wrote to memory of 2700	2696	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	30
PID 2696 wrote to memory of 2700	2696	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	30
PID 2700 wrote to memory of 2824	2700	vbc.exe	32
PID 2700 wrote to memory of 2824	2700	vbc.exe	32
PID 2700 wrote to memory of 2824	2700	vbc.exe	32
PID 2700 wrote to memory of 2824	2700	vbc.exe	32
PID 2696 wrote to memory of 2260	2696	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	33
PID 2696 wrote to memory of 2260	2696	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	33
PID 2696 wrote to memory of 2260	2696	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	33
PID 2696 wrote to memory of 2260	2696	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	33

C:\Users\Admin\AppData\Local\Temp\e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe
"C:\Users\Admin\AppData\Local\Temp\e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q3dx--oa.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE27.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE26.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- C:\Users\Admin\AppData\Local\Temp\tmpECEE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpECEE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEE27.tmp

Filesize
1KB

MD5
809e7ff405d1aee1c511e41aa2eb3bf7

SHA1
48bcea86be4233c9419342e984bba76e11c676be

SHA256
3c2aed28730a8e47cc7132e2f8ed7fe401457f099304e1b404d75f954b1deba1

SHA512
b740b3993ee91c321859f3e57993f5137c112d7bb668fae79b67b7f3cce28c6f02ac6280ecd32913dfc7edb35ee685297640f1fbce1f7cec22760e57635c0741

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3dx--oa.0.vb

Filesize
14KB

MD5
f7a4f0a984bbe0dcae4975f54cebd49e

SHA1
9b6e61e049811e40ff0bbaa7ecbca9e74fcc9de4

SHA256
9466fcda4958540181158c77db3c156165adf1805834167c0fd8f224fecf944f

SHA512
0a209032ea80e1e711fb4a14515de953b3a13625e14004b5cd593dd2bedd3ea14f666a65ecf914aa23e3b651725f9fdfdc5e73bf9bf21b6f63cd0c7c928aaa42

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3dx--oa.cmdline

Filesize
266B

MD5
0f20221f54a458f7ef17e97bbf5d0d31

SHA1
310543adb0eabf825e5da2763ae6d57f41062913

SHA256
38e1f461a48fbdd4e4ef4560e41d5f0915cdfa3d3d67691e53c3790b460657ea

SHA512
20126eb97e9771754f81fb210d1c536da15ce2f7f9d2194069b66e91437c60bb01bb5db761b23a166d62d2773eab7690a8e3f8c0a9bd89fe30386bbd1fc2fba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpECEE.tmp.exe

Filesize
78KB

MD5
a8056367a34894b7d70b121117aff2ed

SHA1
14f391ee5e02f22599f8cf47891a0bcae7bcf5d9

SHA256
8a85ac615e66cbab07e098b6c3eae12301b10f1fb1cf284827361313efc565e6

SHA512
2c27d82f483b41d0059cdd493ac2984e20b9d714297e05f2611f5b20adb193d6e7f02cc798efd753a859fbee9663a9446a3a80b28ebcb34389ef535c9946d371

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEE26.tmp

Filesize
660B

MD5
52a5bc4bba78bff88573e250726bf754

SHA1
5d7e1679ff87a288a8b56a36e516e4178efffef6

SHA256
9756e8e0447b6f93ccb270135d58fe30b9ab1f02ca0dc8f1efa11af4c8a423df

SHA512
85274a018fd40970a34fb6999af0de4ba18598a0ee007b43c8f45fb64f88ea40c9b625eec9ace11847588a60c21c21281238803e1f4f59ea32e2199e7ac000cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2696-0-0x0000000074601000-0x0000000074602000-memory.dmp

Filesize
4KB

Download
memory/2696-1-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-2-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-24-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-8-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-18-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads